Last week I had the opportunity to remove Antivirus System Pro from not one, but two machines. Given that I was seeing it a bit more frequently I thought it might be a new rogue antivirus application, but I quickly found out that it’s been out at least since June of this year. I took notes on my removal so that I could document it here. Just as with most other rogue antivirus applications Antivirus System Pro is a rogue that claims that many things on your computer are infected with viruses (toolbars attached to the browser, most any application you attempt to launch.) It also repeatedly claims that your system is under attack. While web browsing, search result pages are hijacked to redirect to pages of their own choosing and there are occasional porn site popups. (adult.com was one – I suspect the writer has a bit of an affiliate relationship with them?) Read on for how to remove antivirus system pro.

Before we get into the real removal of antivirus system pro, I want to fill you in on the other things you will see on a system infected with this. First you will be directed towards spyware-online-scanner.com which is the homepage of this rogue. You will see alerts as follows (spelling and grammar have not been corrected. There could be a few transcription errors, but the writer's first language is likely not English.):

Windows Security Alert!
Application cannot be executed. The file avgcsrvx.exe is infected. Do you want to activate your antivirus now?

The above file is a component of AVG that this rogue refused to let run. Further I saw…

Antivirus System Pro Alert!

Infiltration Alert.
Your computer is being attacked by an internet virus. It could be a password stealing attack, a trojan-dropper or similar.
Details:

Windows reports that computer is infected. Antivirus software helps protect your computer against viruses and other security threats. Click here for the scan you computer. Your system might be at risk now.

Spyware Alert!
Vulnerabilies found. Your ocmputer is infected by spyware – 34 serious threats have been found while scanning your files and registry.

Antivirus system pro.

Browser opens up and loads adult.com

Other warnings….

win32/nuqel.E

Most every .exe file (and .bat and .cmd and .com) gives the warning that the file is infected and has been prevented from running. The only exceptions seem to be iexplore.exe and firefox.exe (You could copy/paste/rename taskmgr.exe to firefox.exe to run it and kill off the sqstsysguard.exe executable.)

I rebooted into safe mode and was able to install and run malwarebytes antimalware (find link on virus removal toolkit page.)
Before installing it though I ran the registry exe fix found at Doug Knox’s site. I chose safe mode with networking and was able to update and run a full scan which mostly cleaned the system. After reboot I updated and ran AVG and it cleaned up a few more files and a final scan with malwarebytes finished things off.

Among the things I found were sqstsysguard listed in Msconfig. This pointer was launching:
%docs%\%user%\Local Settings\Application Data\rbucdu\Sqstsysguard.exe
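As an added example (not from the original post), here is a PowerShell audit of the two places this rogue was seen to use: the .exe file association that the registry exe fix restores, and the autorun entries Msconfig shows. The key paths are the standard Windows locations; the folder pattern treated as suspicious and the expected '"%1" %*' default command are assumptions of this script.

```powershell
# Added example, not the post's own procedure: flag an altered .exe association
# and autorun entries that launch from a user-profile data folder.

$findings = @()

# 1. .exe association. A rogue that blocks "most every .exe" typically rewrites this
#    command so its own binary is launched in place of the requested program.
#    '"%1" %*' is the documented default (assumption: no legitimate shim is installed).
$assocKeys = @(
  'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
  'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'  # per-user override
)
foreach ($k in $assocKeys) {
  if (Test-Path $k) {
    $cmd = (Get-ItemProperty -Path $k).'(default)'
    if ($cmd -ne '"%1" %*') {
      $findings += "exe association changed at $k : $cmd"
    }
  }
}

# 2. Autorun entries (the same list Msconfig displays) whose target sits under
#    Local Settings\Application Data, AppData or Temp, like the Sqstsysguard.exe
#    entry in the post. The pattern is an assumption; tune it for your environment.
$runKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$suspectPattern = 'Local Settings\\Application Data|\\AppData\\|\\Temp\\'
foreach ($k in $runKeys) {
  if (-not (Test-Path $k)) { continue }
  $props = Get-ItemProperty -Path $k
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
    if ($p.Value -match $suspectPattern) {
      $findings += "autorun '$($p.Name)' -> $($p.Value)"
    }
  }
}

if ($findings.Count -eq 0) { 'No exe-association or suspicious autorun findings.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an elevated prompt in safe mode, before the rogue is active, since an altered association would otherwise intercept the PowerShell host like any other executable.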

The other files found and cleaned seemed to be in %temp% and were likely the installer from the original infection.

The first system that had this bug was unable to boot at one point. I had cleaned out in safe mode, rebooted normally and installed AVG 9. On the next reboot the operating system was not found. The partition table had been lost. I reconstructed the partition table using gpart and then rebooted, scanned with malwarebytes (this time a full scan) and AVG had run a partial scan. Once again on reboot the partition table was missing. I fixed it yet again (gpart couldn’t do it this time – I had to manually rebuild.) Then ran a full scan (after imaging the drive.) I tested the hard drive every way I could (surface check with badblocks, smart testing, chkdsk to check filesystem.) All of the hard drive tests seem okay, the antivirus and malware scans have cleaned out a further trojan which I’m blaming for the moment. After all was cleaned I imaged the drive one more time with clonezilla just in case and several reboots later the system is back in production.

The second system was experiencing tons of drive read errors according to smartmontools and taking a very long time to load the desktop. I’m not sure if antivirus system pro was the culprit or if the drive had been failing independently. Either way I’m sure the rogue software pushed the drive harder with its constant scans and the repair scans with malwarebytes and avg certainly put it through its paces. Once the rogue was inactive I imaged the drive and replaced it. After replacement I did a few further clean up scans and all seems good.

Another example of the search hijacking I saw is as follows. On one system I pulled up google.com and did a search for malwarebytes. It showed a link to malwarebytes.org first and I clicked on it. The page I received was not malwarebytes.org but…. http://2009-d0wnloadz.com/malwarebytes-promo/index.php?source=CCN-CD277-MIVA-malwarebytes (BTW this was in firefox.) Needless to say, I didn’t trust the download link they gave and I retrieved it via other means.

What follows is the malwarebytes log file (before the infections were removed). It reports no action taken because they hadn’t yet been removed. Some of the items listed are coincidental and not related to Antivirus System Pro:
